CN102158860A - Radio node network-accessing method and system as well as relay node - Google Patents

Publication number
CN102158860A
Authority
CN
China
Prior art keywords
base station
donor base
relay node
certificate
parameter
Legal status
Granted
Application number
CN2010101114228A
Other languages
Chinese (zh)
Other versions
CN102158860B (en)
Inventor
陈璟
张爱琴
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201010111422.8A
Priority to PCT/CN2011/070948 (WO2011098048A1)
Publication of CN102158860A
Application granted
Publication of CN102158860B
Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys

Abstract

The embodiments of the invention relate to a radio node network-accessing method and system and to a relay node. A certificate is carried in the messages exchanged between the relay node and a donor base station, home subscriber server or mobile management entity, so that the relay node and the donor base station, home subscriber server or mobile management entity authenticate each other. DH (Diffie-Hellman) parameters exchanged between the relay node and the donor base station, home subscriber server or mobile management entity are used to calculate a shared key similar to the key used when user equipment accesses the network. Finally, a radio bearer between the relay node and the donor base station is established. Certificate-based authentication is thereby realized when the relay node accesses the network, and the relay node accesses the network side more securely.

Description

Radio node network access method, system and relay node
Technical field
The present invention relates to the field of communication technologies, and in particular to a radio node network access method, a system and a relay node.
Background
The follow-up evolution of Long Term Evolution (Long Term Evolution-Advanced, LTE-A) introduces the relay node (Relay Node, RN). The RN is provided to meet the need to improve throughput at the edge of a communication cell, to make it convenient for an operator or a user to deploy a temporary network, and to support group mobility. An RN can be deployed in rural, urban or indoor areas, in hot spot regions or in blind spot regions.
In an existing radio access network (Radio Access Network, RAN), when an RN accesses the network, the RN attaches in a manner similar to a user equipment (User Equipment, UE). Therefore, certificate-based authentication cannot be performed when the RN accesses the network.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a radio node network access method, a system and a relay node, so as to realize certificate-based authentication when an RN accesses the network.
An embodiment of the present invention provides a radio node network access method, comprising:
During establishment of a radio resource control connection between a relay node and a donor base station integrated with a home subscriber server, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
Receiving the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
If the relay node and the donor base station authenticate successfully, calculating a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
Based on the base key K, performing authentication and key agreement with a mobile management entity; performing non-access stratum security mode control with the mobile management entity, and performing access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a relay node, comprising:
A sending module, configured to send, during establishment of a radio resource control connection between the relay node and a donor base station integrated with a home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
A receiving and authentication module, configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
A computing module, configured to calculate, if the relay node and the donor base station authenticate successfully, a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving and authentication module;
A bearer establishment module, configured to perform authentication and key agreement with a mobile management entity based on the base key K calculated by the computing module; and to perform non-access stratum security mode control with the mobile management entity and access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a radio node network access system, comprising: a mobile management entity, a donor base station integrated with a home subscriber server, and the aforesaid relay node,
The donor base station integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to perform access stratum security mode control with the relay node according to an access stratum key calculated from the base key K;
The mobile management entity is configured to obtain an authentication vector that the donor base station integrated with the home subscriber server calculates based on the base key K, and to perform authentication and key agreement with the relay node according to the authentication vector; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the base key K.
An embodiment of the present invention also provides a radio node network access method, comprising:
During establishment of a radio resource control connection between a relay node and a donor base station, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
Receiving, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and authenticating the home subscriber server according to the certificate of the home subscriber server;
If the relay node and the home subscriber server authenticate successfully, calculating a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
Based on the base key K, performing authentication and key agreement with a mobile management entity; performing non-access stratum security mode control with the mobile management entity, and performing access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a relay node, comprising:
A sending module, configured to send, during establishment of a radio resource control connection between the relay node and a donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
A receiving and authentication module, configured to receive, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and to authenticate the home subscriber server according to the certificate of the home subscriber server;
A computing module, configured to calculate, if the relay node and the home subscriber server authenticate successfully, a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving and authentication module;
A bearer establishment module, configured to perform authentication and key agreement with a mobile management entity based on the base key K calculated by the computing module; and to perform non-access stratum security mode control with the mobile management entity and access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a radio node network access system, comprising: a mobile management entity, a home subscriber server, a donor base station and the aforesaid relay node,
The home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node; and to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
The mobile management entity is configured to obtain an authentication vector that the home subscriber server calculates based on the base key K, and to perform authentication and key agreement with the relay node according to the authentication vector; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the base key K;
The donor base station is configured to obtain an access stratum key that the home subscriber server calculates based on the base key K, and to perform access stratum security mode control with the relay node according to the access stratum key.
An embodiment of the present invention also provides a radio node network access method, comprising:
Completing establishment of a radio resource control connection between a relay node and a donor base station;
Sending an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a mobile management entity integrated with a home subscriber server, so that the mobile management entity authenticates the relay node according to the certificate of the relay node;
Receiving a non-access stratum message, sent by the mobile management entity, that carries the certificate of the mobile management entity and the Diffie-Hellman parameter of the mobile management entity, and authenticating the mobile management entity according to the certificate of the mobile management entity;
If the relay node and the mobile management entity authenticate successfully, calculating a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobile management entity;
Based on the shared key, performing non-access stratum security mode control with the mobile management entity, and performing access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a relay node, comprising:
A connection establishment module, configured to complete establishment of a radio resource control connection between the relay node and a donor base station;
A sending module, configured to send an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a mobile management entity integrated with a home subscriber server, so that the mobile management entity authenticates the relay node according to the certificate of the relay node;
A receiving and authentication module, configured to receive a non-access stratum message, sent by the mobile management entity, that carries the certificate of the mobile management entity and the Diffie-Hellman parameter of the mobile management entity, and to authenticate the mobile management entity according to the certificate of the mobile management entity;
A computing module, configured to calculate, if the relay node and the mobile management entity authenticate successfully, a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobile management entity received by the receiving and authentication module;
A bearer establishment module, configured to perform, based on the shared key calculated by the computing module, non-access stratum security mode control with the mobile management entity and access stratum security mode control with the donor base station, to establish a radio bearer with the donor base station.
An embodiment of the present invention also provides a radio node network access system, comprising: a mobile management entity integrated with a home subscriber server, a donor base station and the aforesaid relay node,
The mobile management entity integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the mobile management entity and the Diffie-Hellman parameter of the mobile management entity to the relay node; to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobile management entity; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the shared key;
The donor base station is configured to obtain an access stratum key that the mobile management entity integrated with the home subscriber server calculates based on the shared key, and to perform access stratum security mode control with the relay node according to the access stratum key.
An embodiment of the present invention also provides a radio node network access method, comprising:
During radio resource control connection establishment and/or radio bearer establishment between a relay node and a donor base station, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
Receiving the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
If the relay node and the donor base station authenticate successfully, calculating an authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
Using the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, and performing access stratum security mode control with the donor base station based on the temporary key KeNB.
An embodiment of the present invention also provides a relay node, comprising:
A sending module, configured to send, during radio resource control connection establishment and/or radio bearer establishment between the relay node and a donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
A receiving and authentication module, configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
A computing module, configured to calculate, if the relay node and the donor base station authenticate successfully, an authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving and authentication module;
A bearer establishment module, configured to use the authentication key AK calculated by the computing module as the temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the donor base station based on the temporary key KeNB.
An embodiment of the present invention also provides a radio node network access system, comprising: a donor base station and the aforesaid relay node,
The donor base station is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the relay node according to the temporary key KeNB.
An embodiment of the present invention also provides a radio node network access method, comprising:
After radio resource control connection establishment and radio bearer establishment between a relay node and a donor base station are completed, sending an Internet Key Exchange security association initial negotiation request message to the donor base station, and receiving the Internet Key Exchange security association initial negotiation response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station;
Sending an Internet Key Exchange authentication request message to the donor base station, where the Internet Key Exchange authentication request message carries information requesting the certificate of the donor base station;
Receiving an Internet Key Exchange authentication response message, returned by the donor base station, that carries the certificate of the donor base station, and authenticating the donor base station according to the certificate of the donor base station, where the Internet Key Exchange authentication response message also carries information requesting the certificate of the relay node;
Sending an Internet Key Exchange authentication response message carrying the certificate of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node.
An embodiment of the present invention also provides a relay node, comprising:
A parameter exchange module, configured to send, after radio resource control connection establishment and radio bearer establishment between the relay node and a donor base station are completed, an Internet Key Exchange security association initial negotiation request message to the donor base station, and to receive the Internet Key Exchange security association initial negotiation response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station;
A first sending module, configured to send an Internet Key Exchange authentication request message to the donor base station, where the Internet Key Exchange authentication request message carries information requesting the certificate of the donor base station;
A receiving and authentication module, configured to receive an Internet Key Exchange authentication response message, returned by the donor base station, that carries the certificate of the donor base station, and to authenticate the donor base station according to the certificate of the donor base station, where the Internet Key Exchange authentication response message also carries information requesting the certificate of the relay node;
A second sending module, configured to send an Internet Key Exchange authentication response message carrying the certificate of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node.
An embodiment of the present invention also provides a radio node network access system, comprising: a donor base station and the aforesaid relay node,
The donor base station is configured to receive the Internet Key Exchange security association initial negotiation request message sent by the relay node, and to return the Internet Key Exchange security association initial negotiation response message to the relay node, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station; to receive the Internet Key Exchange authentication request message sent by the relay node, which carries information requesting the certificate of the donor base station; to return to the relay node the Internet Key Exchange authentication response message carrying the certificate of the donor base station, which also carries information requesting the certificate of the relay node; and to receive the Internet Key Exchange authentication response message, sent by the relay node, that carries the certificate of the relay node, and to authenticate the relay node according to the certificate of the relay node.
As can be seen from the above technical solutions, in the radio node network access method, system and relay node of the embodiments of the present invention, a certificate is carried in the messages exchanged between the relay node and the donor base station, home subscriber server or mobile management entity, so that the relay node and the donor base station, home subscriber server or mobile management entity authenticate each other. The DH parameters exchanged between the relay node and the donor base station, home subscriber server or mobile management entity are used to calculate a shared key similar to the one used when a user equipment accesses the network, and establishment of the radio bearer between the relay node and the donor base station is finally completed. Certificate-based authentication is thereby realized when the relay node accesses the network, and the relay node accesses the network side more securely.
Description of drawings
Fig. 1 is a schematic flowchart of the first embodiment of the radio node network access method of the present invention;
Fig. 2 is a signaling flowchart of the second embodiment of the radio node network access method of the present invention;
Fig. 3 is a signaling flowchart of the third embodiment of the radio node network access method of the present invention;
Fig. 4 is a schematic structural diagram of the first embodiment of the relay node of the present invention;
Fig. 5 is a schematic structural diagram of the first embodiment of the radio node network access system of the present invention;
Fig. 6 is a schematic flowchart of the fourth embodiment of the radio node network access method of the present invention;
Fig. 7 is a signaling flowchart of the fifth embodiment of the radio node network access method of the present invention;
Fig. 8 is a schematic structural diagram of the second embodiment of the relay node of the present invention;
Fig. 9 is a schematic structural diagram of the second embodiment of the radio node network access system of the present invention;
Figure 10 is a schematic flowchart of the sixth embodiment of the radio node network access method of the present invention;
Figure 11 is a signaling flowchart of the seventh embodiment of the radio node network access method of the present invention;
Figure 12 is a schematic structural diagram of the third embodiment of the relay node of the present invention;
Figure 13 is a schematic structural diagram of the third embodiment of the radio node network access system of the present invention;
Figure 14 is a schematic flowchart of the eighth embodiment of the radio node network access method of the present invention;
Figure 15 is a signaling flowchart of the ninth embodiment of the radio node network access method of the present invention;
Figure 16 is a signaling flowchart of the tenth embodiment of the radio node network access method of the present invention;
Figure 17 is a signaling flowchart of the eleventh embodiment of the radio node network access method of the present invention;
Figure 18 is a schematic structural diagram of the fourth embodiment of the relay node of the present invention;
Figure 19 is a schematic structural diagram of the fourth embodiment of the radio node network access system of the present invention;
Figure 20 is a schematic flowchart of the twelfth embodiment of the radio node network access method of the present invention;
Figure 21 is a schematic structural diagram of the fifth embodiment of the relay node of the present invention;
Figure 22 is a schematic structural diagram of the fifth embodiment of the radio node network access system of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
Fig. 1 is a schematic flowchart of the first embodiment of the radio node network access method of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: during establishment of the Radio Resource Control (RRC) connection between a relay node (Relay Node, RN for short) and a donor base station (donor enhanced Node B, Donor Node B, DeNB for short) integrated with a home subscriber server (Home Subscriber Server, HSS for short), the RN sends the certificate of the RN and the Diffie-Hellman (DH) parameter of the RN to the DeNB, so that the DeNB authenticates the RN according to the certificate of the RN.
Step 102: the RN receives the certificate of the DeNB and the DH parameter of the DeNB sent by the DeNB, and authenticates the DeNB according to the certificate of the DeNB.
In steps 101 and 102 above, the RN and the DeNB each send their own certificate to the peer, so that certificate-based authentication is carried out between the RN and the DeNB.
Step 103: if authentication between the RN and the DeNB succeeds, the base key K is calculated from the DH parameter of the RN and the DH parameter of the DeNB.
This base key K is similar to the base key K carried in the Universal Subscriber Identity Module (USIM) of a UE when the UE accesses a conventional LTE network. In step 103, K = KDF(K_DH). In addition, the DeNB can also calculate the base key K from the DH parameter of the RN and the DH parameter of the DeNB; that is, the same algorithm is also used on the DeNB side to generate the base key K.
Step 104: based on the base key K, the RN performs Authentication and Key Agreement (AKA) with the Mobile Management Entity (MME), performs Non-Access Stratum (NAS) Security Mode Control (SMC) with the MME, and performs Access Stratum (AS) SMC with the DeNB, thereby establishing the radio bearer between the RN and the DeNB.
In step 104, because both the RN side and the DeNB side integrated with the HSS have generated the base key K, the AKA procedure between the RN and the MME is subsequently performed using the authentication vector calculated from the base key K, the NAS SMC procedure is performed using the NAS key calculated from the base key K, and the AS SMC procedure between the RN and the DeNB is performed using the AS key calculated from the base key K. These procedures are similar to those of a UE accessing a conventional LTE network: the RN, acting like a UE in conventional LTE, completes RN network access authentication and security mode establishment, and the details are not repeated here.
In the radio node network access method provided by this embodiment, certificates are carried in the messages exchanged between the RN and the DeNB integrated with the HSS function during RRC connection establishment, so that authentication is performed between the RN and the DeNB; DH parameters are exchanged between the RN and the DeNB to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 2 is a signaling flow diagram of the second embodiment of the radio node network access method of the present invention. In this embodiment, the DeNB and the HSS are integrated in the same entity. While establishing the RRC connection, the RN uses idle messages to carry the certificate and the key agreement parameters, and the base key K is negotiated between the RN and the DeNB/HSS. The RN then performs mutual authentication with the MME in AKA mode based on this base key K, and the subsequent SMC procedures are fully consistent with the SMC procedures of an existing UE accessing a conventional LTE network. As shown in Fig. 2, the radio node network access method comprises the following steps:
Step 201: the RN sends an RRC connection setup request message to the DeNB integrated with the HSS function. The RRC connection setup request message carries information such as the certificate of the RN and the DH parameter of the RN, so that the DeNB authenticates the RN according to the certificate of the RN.
The RRC connection setup request message may also carry an authentication (AUTH) parameter. The AUTH parameter is used to prove knowledge of the secret associated with the entity's own ID, and at the same time provides integrity protection for the previous and current packets.
Step 202: after receiving the RRC connection setup request message, the DeNB sends an RRC connection setup message to the RN that sent the request. The RRC connection setup message carries information such as the certificate of the DeNB and the DH parameter of the DeNB, so that the DeNB is authenticated according to the certificate of the DeNB.
The RRC connection setup message may also carry an AUTH parameter. The AUTH parameter is used to prove knowledge of the secret associated with the entity's own ID, and at the same time provides integrity protection for the previous and current packets. In step 202, the HSS integrated in the DeNB may also allocate an International Mobile Subscriber Identity (IMSI) to the RN. If one is allocated, the IMSI may also be carried in the RRC connection setup message and sent to the RN, to uniquely identify the RN.
Step 203: the RN and the DeNB each locally calculate and generate the base key K from the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of steps 201 and 202 above.
This base key K is similar to the base key K carried in the USIM card of a UE when the UE accesses a conventional LTE network. K = KDF(K_DH).
Step 204: the RN sends an RRC connection setup complete message to the DeNB. The RRC connection setup complete message carries a NAS attach request message.
Step 205: the DeNB forwards the NAS attach request message of the RN to the MME.
Step 206: the MME finds that the attaching entity is an RN and starts the AKA authentication procedure, first sending an authentication data request message to the HSS.
Step 207: the HSS calculates an authentication vector from the base key K and sends it to the MME. The authentication vector may comprise {RAND, XRES, KASME, AUTN}.
Step 208: after obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed for key calculation.
Step 209: the MME receives the authentication response carrying RES that the RN returns after its calculation, and verifies the RES in the authentication response, thereby completing AKA authentication between the RN and the MME.
Step 210: the NAS encryption algorithm is negotiated between the RN and the MME through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 211: the MME sends an initial context setup message for the RN to the DeNB. The initial context setup message carries the AS key calculated during the AKA authentication procedure between the RN and the MME.
Step 212: the AS confidentiality algorithm is negotiated between the DeNB and the RN through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 213: the radio bearer establishment procedure between the RN and the DeNB is performed, which completes RN network access authentication.
Because the length of the RRC connection setup request message or the RRC connection setup message is limited, in steps 201 and 202 the certificate of the RN and/or the certificate of the DeNB may be replaced with a certificate identifier of shorter bit length, rather than the certificate itself. If, in the above authentication procedure, the RRC connection setup request message or the RRC connection setup message carries a certificate identifier rather than the certificate itself, the entity receiving the message must first complete an interaction with the registration center (Registration Association, RA for short)/certificate center (Certificate Association, CA for short) to obtain the content of the certificate indicated by the certificate identifier, and then authenticate the peer based on the content of the certificate.
This embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB integrated with the HSS. The certificate of the RN is carried in the RRC connection setup request message and the certificate of the DeNB is carried in the RRC connection setup message, so that certificate-based authentication is performed between the RN and the DeNB; the DH parameters are exchanged between the RN and the DeNB through the RRC connection setup request message and the RRC connection setup message, to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 3 is a signaling flow diagram of the third embodiment of the radio node network access method of the present invention. In this embodiment, the DeNB and the HSS are integrated in the same entity. The RN carries the information required for key agreement in the RRC connection setup request message, and the RN carries its AUTH parameter for the DeNB in the RRC connection setup complete message, so that the previously sent RRC connection setup request message can be verified. As shown in Fig. 3, the method comprises the following steps:
Step 301: the RN carries information such as the certificate of the RN and the DH parameter of the RN in the RRC connection setup request message sent to the DeNB integrated with the HSS function.
Step 302: the DeNB calculates the base key K from the received DH parameter of the RN and the local DH parameter of the DeNB, calculates the AUTH parameter from K, and sends an RRC connection setup message to the RN. The RRC connection setup message carries the certificate of the DeNB, the DH parameter of the DeNB and the AUTH parameter, so that the DeNB is authenticated according to the certificate of the DeNB.
In step 302, the HSS integrated in the DeNB may also allocate an IMSI to the RN. If one is allocated, the IMSI may also be carried in the RRC connection setup message and sent to the RN, to uniquely identify the RN. This base key K is similar to the base key K carried in the USIM card of a UE when the UE accesses a conventional LTE network, K = KDF(K_DH).
Step 303: the RN sends an RRC connection setup complete message to the DeNB. The RRC connection setup complete message carries the AUTH parameter of the RN to the DeNB, so that the DeNB uses this value to authenticate the RRC connection setup request message previously sent by the RN and, after that authentication succeeds, authenticates the RN according to the certificate of the RN. The RRC connection setup complete message also carries the NAS attach request message of the RN.
Step 304: the RN locally calculates and generates the base key K from the DH parameter of the RN and the DH parameter of the DeNB in the messages of steps 301 to 303 above.
This base key K is similar to the base key K carried in the USIM card of a UE when the UE accesses a conventional LTE network, K = KDF(K_DH).
Step 305: the DeNB forwards the NAS attach request message of the RN to the MME.
Step 306: the MME finds that the attaching entity is an RN and starts the AKA authentication procedure, first sending an authentication data request message to the HSS.
Step 307: the HSS calculates an authentication vector from the base key K and sends it to the MME. The authentication vector may comprise {RAND, XRES, KASME, AUTN}.
Step 308: after obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed for key calculation.
Step 309: the MME receives the authentication response carrying RES that the RN returns after its calculation, and verifies the RES in the authentication response, to complete AKA authentication between the RN and the MME.
Step 310: the NAS encryption algorithm is negotiated between the RN and the MME through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 311: the MME sends an initial context setup message for the RN to the DeNB. The initial context setup message carries the AS key calculated during the AKA authentication procedure between the RN and the MME.
Step 312: the AS confidentiality algorithm is negotiated between the DeNB and the RN through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 313: the radio bearer establishment procedure between the RN and the DeNB is performed, which completes RN network access authentication.
Because the length of the RRC connection setup request message or the RRC connection setup message is limited, in steps 301 and 302 the RN certificate and/or the DeNB certificate may be replaced with a certificate identifier of shorter bit length, rather than the certificate itself. If, in the above authentication procedure, the RRC connection setup request message or the RRC connection setup message carries a certificate identifier rather than the certificate itself, the entity receiving the message must first complete an interaction with the RA/CA to obtain the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
This embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB integrated with the HSS. It obtains roughly the same beneficial effect as the second embodiment of the radio node network access method: a certificate-based authentication method for RN network access is realized, making RN network access more secure for the network side.
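The exchange of the third embodiment (steps 301 to 304), sketched as an added example that is not part of the patent text: both sides derive K = KDF(K_DH) and check the AUTH parameter over the earlier and current messages. Assumptions: the DH group, HMAC-SHA-256 as both the KDF and the AUTH function, the message encoding and all function names are illustrative, and certificate validation is not modelled.

```python
import hashlib
import hmac
import secrets

# Demonstration modulus (the Mersenne prime 2^521 - 1) and generator, chosen
# only so the block runs with the standard library. The patent names no DH
# group; a deployment would use a standardized, vetted one.
P = 2**521 - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # Reject degenerate peer values (0, 1, P-1, out of range): they would
    # force K_DH into a tiny set that an on-path party can predict.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH parameter from peer")
    return pow(peer_pub, priv, P).to_bytes(P_LEN, "big")


def kdf(k_dh):
    # K = KDF(K_DH). Assumption: HMAC-SHA-256 with a fixed label, truncated
    # to 128 bits; the patent does not specify the KDF.
    return hmac.new(k_dh, b"RN-base-key", hashlib.sha256).digest()[:16]


def auth(k, sender, *messages):
    # Assumption: AUTH = HMAC-SHA-256 keyed with K over the sender role and
    # the length-prefixed earlier and current messages.
    mac = hmac.new(k, sender, hashlib.sha256)
    for m in messages:
        mac.update(len(m).to_bytes(4, "big") + m)
    return mac.digest()


def encode(cert, dh_pub):
    # Hypothetical wire format: 2-byte certificate length, certificate, DH value.
    return len(cert).to_bytes(2, "big") + cert + dh_pub.to_bytes(P_LEN, "big")


def run_exchange(tamper_request=False):
    # Constructed placeholders; certificate validation is not modelled here.
    rn_cert, denb_cert = b"<RN certificate>", b"<DeNB certificate>"

    # Step 301: RN -> DeNB, RRC connection setup request (certificate, DH).
    rn_priv, rn_pub = dh_keypair()
    request_sent = encode(rn_cert, rn_pub)
    rn_pub_rcvd, request_rcvd = rn_pub, request_sent
    if tamper_request:
        # Constructed fault: the RN's DH parameter is altered in transit.
        rn_pub_rcvd = dh_keypair()[1]
        request_rcvd = encode(rn_cert, rn_pub_rcvd)

    # Step 302: DeNB derives K, computes AUTH, sends RRC connection setup.
    denb_priv, denb_pub = dh_keypair()
    denb_k = kdf(dh_shared(denb_priv, rn_pub_rcvd))
    setup = encode(denb_cert, denb_pub)
    denb_auth = auth(denb_k, b"DeNB", request_rcvd, setup)

    # Step 304: RN derives K, then checks the DeNB's AUTH over what it sent.
    # (Assumption: the RN derives K before step 303 so it can compute AUTH.)
    rn_k = kdf(dh_shared(rn_priv, denb_pub))
    rn_accepts = hmac.compare_digest(
        denb_auth, auth(rn_k, b"DeNB", request_sent, setup))
    result = {"rn_k": rn_k, "denb_k": denb_k,
              "rn_accepts": rn_accepts, "denb_accepts": False}
    if not rn_accepts:
        return result                            # RN aborts before step 303

    # Step 303: RN -> DeNB, RRC connection setup complete carrying RN's AUTH,
    # which lets the DeNB authenticate the earlier request message.
    rn_auth = auth(rn_k, b"RN", request_sent, setup)
    result["denb_accepts"] = hmac.compare_digest(
        rn_auth, auth(denb_k, b"RN", request_rcvd, setup))
    return result


if __name__ == "__main__":
    for label, res in (("clean", run_exchange()), ("tampered", run_exchange(True))):
        print(label, res["rn_accepts"], res["denb_accepts"])
```

Without certificate validation, the AUTH check only shows that both ends saw the same messages and derived the same K; binding the DH parameters to the peer's identity is the job of the certificate-based authentication the embodiment describes.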
Fig. 4 is a schematic structural diagram of the first embodiment of the relay node of the present invention. As shown in Fig. 4, the relay node comprises a sending module 41, a receiving and authentication module 42, a calculation module 43 and a bearer establishment module 44. The sending module 41 is configured to send, during establishment of the radio resource control connection between the relay node and the donor base station integrated with the home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node. The receiving and authentication module 42 is configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station. The calculation module 43 is configured to calculate, if authentication between the relay node and the donor base station succeeds, the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving module 42. The bearer establishment module 44 is configured to perform authentication and key agreement with the mobile management entity based on the base key K calculated by the calculation module 43, to perform non-access stratum security mode control with the mobile management entity, and to perform access stratum security mode control with the donor base station, thereby establishing the radio bearer with the donor base station.
The relay node provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the DeNB integrated with the HSS function during RRC connection establishment, so that authentication is performed between the RN and the DeNB; DH parameters are exchanged between the RN and the DeNB to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 5 is a schematic structural diagram of the first embodiment of the radio node network access system of the present invention. As shown in Fig. 5, the system comprises a mobile management entity 51, a donor base station 52 integrated with a home subscriber server, and a relay node 53. The relay node 53 is as described in the first embodiment of the relay node above and is not described again here. The donor base station 52 integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 53, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node 53; to calculate the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to perform access stratum security mode control with the relay node 53 according to the access stratum key calculated from the base key K. The mobile management entity 51 is configured to obtain the authentication vector calculated from the base key K by the donor base station 52 integrated with the home subscriber server, and to perform authentication and key agreement with the relay node 53 according to the authentication vector; and to perform non-access stratum security mode control with the relay node 53 according to the non-access stratum key calculated from the base key K.
The radio node network access system provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the DeNB integrated with the HSS function during RRC connection establishment, so that authentication is performed between the RN and the DeNB; DH parameters are exchanged between the RN and the DeNB to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 6 is a schematic flowchart of the fourth embodiment of the radio node network access method of the present invention. As shown in Fig. 6, the method comprises the following steps:
Step 601: during establishment of the RRC connection between the RN and the DeNB, the RN sends the certificate of the RN and the DH parameter of the RN to the HSS through the DeNB, so that the HSS authenticates the RN according to the certificate of the RN.
Step 602: the RN receives, through the DeNB, the certificate of the HSS and the DH parameter of the HSS sent by the HSS, and authenticates the HSS according to the certificate of the HSS.
In steps 601 and 602 above, the RN and the HSS each send their own certificate to the peer, so that certificate-based authentication is carried out between the RN and the HSS.
Step 603: if authentication between the RN and the HSS succeeds, the base key K is calculated from the DH parameter of the RN and the DH parameter of the HSS.
This base key K is similar to the base key K carried in the Universal Subscriber Identity Module (USIM) of a UE when the UE accesses a conventional LTE network. In step 603, K = KDF(K_DH). In addition, the HSS can also calculate the base key K from the DH parameter of the RN and the DH parameter of the HSS; that is, the same algorithm is also used on the DeNB side to generate the base key K.
Step 604: based on the base key K, the RN performs AKA with the MME, performs NAS SMC with the MME, and performs AS SMC with the DeNB, thereby establishing the radio bearer between the RN and the DeNB.
In step 604, because the RN side has generated the base key K, the AKA procedure between the RN and the MME is subsequently performed using the authentication vector calculated from the base key K, the NAS SMC procedure is performed using the NAS key calculated from the base key K, and the AS SMC procedure between the RN and the DeNB is performed using the AS key calculated from the base key K. These procedures are similar to those of a UE accessing a conventional LTE network: the RN, acting like a UE in conventional LTE, completes RN network access authentication and security mode establishment, and the details are not repeated here.
In the radio node network access method provided by this embodiment, certificates are carried in the messages exchanged between the RN and the HSS during RRC connection establishment, so that authentication is performed between the RN and the HSS; DH parameters are exchanged between the RN and the HSS to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 7 is a signaling flow diagram of the fifth embodiment of the radio node network access method of the present invention. In this embodiment, the HSS is an independent physical entity rather than being located on the DeNB. The RN and the HSS still authenticate each other by certificate and negotiate the base key K, and the DeNB forwards the corresponding messages between the RN and the HSS. As shown in Fig. 7, the radio node network access method comprises the following steps:
Step 701: the RN sends an RRC connection setup request message to the DeNB. The RRC connection setup request message carries information such as the certificate of the RN, the DH parameter of the RN and the AUTH parameter.
Step 702: the DeNB forwards the information in the received RRC connection setup request message, such as the certificate of the RN, the DH parameter of the RN and the AUTH parameter, to the HSS, so that the HSS authenticates the RN according to the certificate of the RN.
Step 703: the HSS sends a message carrying the certificate of the HSS, the DH parameter of the HSS and the AUTH parameter to the DeNB.
Step 704: after receiving the certificate of the HSS, the DH parameter of the HSS and the AUTH parameter, the DeNB sends an RRC connection setup message to the RN. The RRC connection setup message carries the certificate of the HSS, the DH parameter of the HSS and the AUTH parameter, so that the HSS is authenticated according to the certificate of the HSS.
In this step, the HSS may allocate an IMSI to the RN. If one is allocated, the DeNB also places this IMSI in the RRC connection setup message sent to the RN, to uniquely identify the RN.
Step 705: the RN and the HSS each locally calculate and generate the base key K from the DH parameter of the RN and the DH parameter of the HSS in the messages of step 501 to step 504 above.
This base key K is similar to the base key K carried in the USIM card of a UE when the UE accesses a conventional LTE network. K = KDF(K_DH).
Step 706: the RN sends an RRC connection setup complete message to the DeNB. The RRC connection setup complete message carries a NAS attach request message.
Step 707: the DeNB forwards the NAS attach request message of the RN to the MME.
Step 708: the MME finds that the attaching entity is an RN and starts the AKA authentication procedure, first sending an authentication data request message to the HSS.
Step 709: the HSS calculates an authentication vector from the base key K and sends it to the MME. The authentication vector may comprise {RAND, XRES, KASME, AUTN}.
Step 710: after obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed for key calculation.
Step 711: the MME receives the authentication response carrying RES that the RN returns after its calculation, and verifies the RES in the authentication response, to complete AKA authentication between the RN and the MME.
Step 712: the NAS encryption algorithm is negotiated between the RN and the MME through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 713: the MME sends an initial context setup message for the RN to the DeNB. The initial context setup message carries the AS key calculated during the AKA authentication procedure between the RN and the MME.
Step 714: the AS confidentiality algorithm is negotiated between the DeNB and the RN through SMC. This SMC procedure is the same as the SMC procedure in the prior art when a UE accesses a conventional LTE network.
Step 715: the radio bearer establishment procedure between the RN and the DeNB is performed, which completes RN network access authentication.
Because the length of the RRC connection setup request message or the RRC connection setup message is limited, in steps 701 to 704 the certificate of the RN and/or the certificate of the HSS may be replaced with a certificate identifier of shorter bit length, rather than the certificate itself. If, in the above authentication procedure, the RRC connection setup request message or the RRC connection setup message carries a certificate identifier rather than the certificate itself, the entity receiving the message must first complete an interaction with the RA/CA to obtain the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
In the radio node network access method provided by this embodiment, the DeNB and the HSS are two separate entities, and the embodiment describes in detail the signaling flow of certificate authentication between the RN and the HSS. The certificate of the RN is carried in the RRC connection setup request message and the certificate of the HSS is carried in the RRC connection setup message, so that certificate-based authentication is performed between the RN and the HSS; the DH parameters are exchanged between the RN and the HSS through the RRC connection setup request message and the RRC connection setup message, to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 8 is a schematic structural diagram of the second embodiment of the relay node of the present invention. As shown in Fig. 8, the relay node comprises a sending module 81, a receiving and authentication module 82, a calculation module 83 and a bearer establishment module 84. The sending module 81 is configured to send, during establishment of the radio resource control connection between the relay node and the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node. The receiving and authentication module 82 is configured to receive, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and to authenticate the home subscriber server according to the certificate of the home subscriber server. The calculation module 83 is configured to calculate, if authentication between the relay node and the home subscriber server succeeds, the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving module 82. The bearer establishment module 84 is configured to perform authentication and key agreement with the mobile management entity based on the base key K calculated by the calculation module 83, to perform non-access stratum security mode control with the mobile management entity, and to perform access stratum security mode control with the donor base station, thereby establishing the radio bearer with the donor base station.
The relay node provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the HSS during RRC connection establishment, so that authentication is performed between the RN and the HSS; DH parameters are exchanged between the RN and the HSS to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Fig. 9 is a schematic structural diagram of the second embodiment of the radio node network access system of the present invention. As shown in Fig. 9, the system comprises a mobile management entity 91, a home subscriber server 92, a donor base station 93 and a relay node 94. The relay node 94 is as described in the second embodiment of the relay node above and is not described again here. The home subscriber server 92 is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 94, and to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node 94; and to calculate the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server. The mobile management entity 91 is configured to obtain the authentication vector calculated from the base key K by the home subscriber server 92, and to perform authentication and key agreement with the relay node 94 according to the authentication vector; and to perform non-access stratum security mode control with the relay node 94 according to the non-access stratum key calculated from the base key K. The donor base station 93 is configured to obtain the access stratum key calculated from the base key K by the home subscriber server 92, and to perform access stratum security mode control with the relay node 94 according to the access stratum key.
The radio node network access system provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the HSS during RRC connection establishment, so that authentication is performed between the RN and the HSS; DH parameters are exchanged between the RN and the HSS to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network; and the radio bearer between the RN and the DeNB is finally established. A certificate-based authentication method for RN network access is thereby realized, making RN network access more secure for the network side.
Figure 10 is the schematic flow sheet of radio node method of network entry the 6th embodiment of the present invention.HSS and MME are integrated on the same entity in the present embodiment.As shown in figure 10, comprise the steps:
Step 1001: RRC connection establishment between the RN and the DeNB is completed.
Step 1002: The RN sends an Attach Request message carrying the certificate of the RN and the DH parameter of the RN to the MME integrated with the HSS, so that the MME authenticates the RN according to the certificate of the RN.
Step 1003: The RN receives a non-access stratum message, sent by the MME, carrying the certificate of the MME and the DH parameter of the MME, and authenticates the MME according to the certificate of the MME.
Step 1004: If authentication between the RN and the MME succeeds, the shared key is calculated according to the DH parameter of the RN and the DH parameter of the MME.
Here, the MME calculates the shared key according to the DH parameter of the RN and the DH parameter of the MME.
Step 1005: Based on the shared key, the RN performs NAS SMC with the MME and AS SMC with the DeNB, and the radio bearer between the RN and the DeNB is established.
NAS SMC is performed according to the non-access stratum key calculated from the shared key, and AS SMC between the RN and the DeNB is performed according to the access stratum key calculated from the shared key. This process is similar to the conventional LTE network access process of a UE, with the RN playing the role of the UE in conventional LTE; it completes RN network access authentication and security mode establishment, and is not described again here.
In the radio node network access method provided by this embodiment, certificates are carried in the messages exchanged between the RN and the MME integrated with the HSS to perform authentication between the RN and the MME, and the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 11 is a signaling flowchart of the seventh embodiment of the radio node network access method of the present invention. This embodiment is the specific signaling flow of the sixth embodiment above, in which the HSS and the MME are integrated on the same entity. As shown in Figure 11, the method comprises the following steps:
Step 1101: The RN sends an RRC connection setup request message to the DeNB.
Step 1102: The DeNB sends an RRC connection setup message to the RN.
Step 1103: The RN replies to the DeNB with an RRC connection setup complete message.
Step 1104: The RN sends a NAS Attach Request message to the MME integrated with the HSS; the NAS Attach Request message carries the certificate of the RN and the DH parameter of the RN.
Step 1105: The MME sends an IMSI request message to the RN; the IMSI request message carries the certificate of the MME, the DH parameter of the MME and the AUTH parameter used for authentication.
In step 1105, the HSS integrated on the MME may also allocate an IMSI to the RN. If one is allocated, the IMSI may also be carried in the IMSI request message and sent to the RN, and is used to uniquely identify this RN.
Step 1106: After receiving the certificate of the MME, the RN completes authentication of the MME, and then sends the AUTN parameter used for authentication to the MME in an IMSI response message, so that the MME performs certificate authentication of the RN according to the certificate of the RN sent in step 1104.
Step 1107: The two authenticating parties, the RN and the MME, each locally calculate the shared key K1 according to the DH parameter of the RN and the DH parameter of the MME, where K1 = KDF(K_DH).
The subsequent security procedures between the RN and the MME are completed based on this shared key K1, and may follow either of two schemes:
a) The shared key K1 is used as the base key K for AKA authentication:
Step 1108a: The MME integrated with the HSS function can calculate an authentication vector according to this base key K; the authentication vector may comprise {RAND, XRES, KASME, AUTN}.
b) The shared key K1 is used as the root key KASME:
Step 1108b: The MME integrated with the HSS function obtains from the HSS an authentication vector containing this root key KASME; the authentication vector may comprise {RAND, XRES, KASME, AUTN}.
Step 1109: After obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed for key calculation.
Step 1110: The MME receives the authentication response carrying RES that the RN returns after its calculation, and verifies the RES in this authentication response, completing AKA authentication between the RN and the MME.
Step 1111: The NAS cryptographic algorithms between the RN and the MME are negotiated through SMC; this SMC process is the same as the SMC process when a UE accesses a conventional LTE network in the prior art.
Step 1112: The MME sends an initial context setup message for the RN to the DeNB; the initial context setup message carries the AS key calculated during the AKA authentication process between the RN and the MME.
Step 1113: The AS confidentiality algorithm between the DeNB and the RN is negotiated through SMC; this SMC process is the same as the SMC process when a UE accesses a conventional LTE network in the prior art.
Step 1114: The radio bearer establishment process between the RN and the DeNB is carried out, which completes RN network access authentication.
Because the length of the Attach Request message or the IMSI request message is limited, in steps 1104 and 1105 the certificate of the RN and/or the certificate of the MME may be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. The entity receiving the message then first needs to complete an interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then authenticates the peer based on the content of the certificate.
The radio node network access method provided by this embodiment describes in detail the signaling flow of certificate authentication between the RN and the MME integrated with the HSS. Like the sixth embodiment of the radio node network access method above, it implements certificate-based authentication when the RN accesses the network and makes RN network access more secure on the network side.
Figure 12 is a schematic structural diagram of the third embodiment of the relay node of the present invention. As shown in Figure 12, the relay node comprises a connection establishing module 121, a sending module 122, a receiving and authenticating module 123, a calculating module 124 and a bearer establishing module 125. The connection establishing module 121 is configured to complete radio resource control connection establishment between the relay node and the donor base station. The sending module 122 is configured to send an Attach Request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the mobility management entity integrated with the home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node. The receiving and authenticating module 123 is configured to receive a non-access stratum message, sent by the mobility management entity, carrying the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity, and to authenticate the mobility management entity according to the certificate of the mobility management entity. The calculating module 124 is configured to calculate the shared key, if authentication between the relay node and the mobility management entity succeeds, according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity received by the receiving module 123. The bearer establishing module 125 is configured, based on the shared key calculated by the calculating module 124, to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and to establish the radio bearer with the donor base station.
The relay node provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the MME integrated with the HSS to perform authentication between the RN and the MME, and the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 13 is a schematic structural diagram of the third embodiment of the radio node network access system of the present invention. As shown in Figure 13, the system comprises a mobility management entity 131 integrated with a home subscriber server, a donor base station 132 and a relay node 133. The relay node 133 is as described in the third relay node embodiment above and is not described again here. The mobility management entity 131 integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 133, and to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node 133; to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity; and to perform non-access stratum security mode control with the relay node 133 according to the non-access stratum key calculated from the shared key. The donor base station 132 is configured to obtain the access stratum key that the mobility management entity integrated with the home subscriber server calculates based on the shared key and, according to the access stratum key, to perform access stratum security mode control with the relay node 133.
The radio node network access system provided by this embodiment implements the radio node network access method; see the method embodiments above for details. Certificates are carried in the messages exchanged between the RN and the MME integrated with the HSS to perform authentication between the RN and the MME, and the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 14 is a schematic flowchart of the eighth embodiment of the radio node network access method of the present invention. As shown in Figure 14, the method comprises the following steps:
Step 1401: During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, the certificate of the RN and the DH parameter of the RN are sent to the DeNB, so that the DeNB authenticates the RN according to the certificate of the RN.
Step 1402: The certificate of the DeNB and the DH parameter of the DeNB sent by the DeNB are received, and the DeNB is authenticated according to the certificate of the DeNB.
In steps 1401 and 1402, the RN and the DeNB each send their own certificate to the peer, so that certificate authentication between the RN and the DeNB is achieved.
Step 1403: If authentication between the RN and the DeNB succeeds, the authentication key AK is calculated according to the DH parameter of the RN and the DH parameter of the DeNB.
Here, the DeNB calculates this authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB.
Step 1404: The authentication key AK is used as the temporary key KeNB shared by the RN and the DeNB, and AS SMC is performed with the DeNB based on this temporary key KeNB.
In the radio node network access method provided by this embodiment, during RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, certificates are carried in the messages exchanged between the RN and the DeNB to perform authentication between the RN and the DeNB, and the DH parameters exchanged between the RN and the DeNB are used to calculate a temporary key KeNB similar to the one calculated when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 15 is a signaling flowchart of the ninth embodiment of the radio node network access method of the present invention. In this embodiment, the RN and the DeNB do not need to exchange signaling with the HSS to calculate a base key K; certificate authentication only needs to be performed between the RN and the DeNB, the temporary key KeNB is calculated between the RN and the DeNB, and the generated temporary key KeNB is used to protect the AS messages between the RN and the DeNB. As shown in Figure 15, the method comprises the following steps:
Step 1501: The RN sends an RRC connection setup request message to the DeNB to which it belongs. The RRC connection setup request message carries information such as the certificate of the RN, random number (nonce) 1, the DH parameter of the RN and the AUTH parameter, so that the DeNB authenticates the RN according to the certificate of the RN. The random number ensures that the shared key obtained in the subsequent calculation is different each time.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC connection setup request message in step 1501 carries a certificate identifier rather than the certificate itself, the method further comprises step 1501': the RN needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1502: The DeNB replies to the RN with an RRC connection setup message. The RRC connection setup message carries information such as the certificate of the DeNB, random number (nonce) 2, the DH parameter of the DeNB and the AUTH parameter, so that the RN authenticates the DeNB according to the certificate of the DeNB.
The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC connection setup message in step 1502 carries a certificate identifier rather than the certificate itself, the method further comprises step 1502': the DeNB needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1503: The RN and the DeNB each locally calculate the authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of step 1501 and step 1502, use this authentication key AK as the temporary key KeNB, and calculate the AS signaling encryption key, the integrity protection key and so on.
Here, AK = KDF(K_DH).
Step 1504: The RN sends an RRC connection setup complete message, which carries the NAS Attach Request message, to the DeNB to which it belongs.
Step 1505: The DeNB to which the RN belongs forwards the NAS Attach Request message to the MME.
Step 1506: The MME sends the initial context setup message for this RN to the DeNB.
Step 1507: The AS SMC process is performed between the RN and the DeNB to which it belongs, completing negotiation of the AS algorithms between the DeNB and the RN and activating AS protection.
Step 1508: The radio bearer establishment process between the RN and the DeNB is carried out, which completes RN network access authentication.
This embodiment only implements certificate authentication and AS security protection between the RN and the DeNB to which it belongs, and does not address the NAS protection method.
The radio node network access method provided by this embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB. Like the eighth embodiment of the radio node network access method above, it implements certificate-based authentication when the RN accesses the network and makes RN network access more secure on the network side.
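The key agreement of steps 1501 to 1503 (the same pattern as steps 1107 and 1608), as an added example that is not part of the patent: each side derives AK = KDF(K_DH) only after certificate authentication of the peer has succeeded, and AK then serves as KeNB for the AS keys. The MODP group, HMAC-SHA-256 as the KDF, mixing both nonces into the KDF input, the LTE-style (3GPP TS 33.401) AS key derivation string and all function names are assumptions of this example; certificate validation is represented by a boolean result.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
# Assumption: the patent does not name a DH group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Return (private, public); the public value is the 'DH parameter' sent to the peer."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return priv, pow(G, priv, P)


def check_peer_public(y):
    """Reject 0, 1, P-1 and out-of-range values, which force a predictable K_DH."""
    if not 1 < y < P - 1:
        raise ValueError("invalid DH public value from peer")


def kdf(key, data):
    # Assumption: HMAC-SHA-256 as the KDF (the KDF used for LTE key derivation).
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_ak(own_priv, peer_pub, nonce1, nonce2, peer_cert_ok):
    """AK = KDF(K_DH), computed only if the peer's certificate was accepted."""
    if not peer_cert_ok:
        raise PermissionError("peer certificate authentication failed; no key derived")
    check_peer_public(peer_pub)
    k_dh = pow(peer_pub, own_priv, P).to_bytes(256, "big")
    # Assumption: both nonces are bound into the derivation so that AK differs
    # per session even if a DH value were reused.
    return kdf(k_dh, b"AK" + nonce1 + nonce2)


# Algorithm type distinguishers used in LTE AS key derivation (TS 33.401).
RRC_ENC, RRC_INT, UP_ENC = 0x03, 0x04, 0x05


def derive_as_keys(kenb, enc_alg_id=2, int_alg_id=2):
    """Derive 128-bit AS keys from KeNB: S = FC(0x15) || type || 0x0001 || alg id || 0x0001."""
    def one(alg_type, alg_id):
        s = bytes([0x15, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
        return kdf(kenb, s)[16:]                 # 128 least significant bits
    return {
        "K_RRCenc": one(RRC_ENC, enc_alg_id),
        "K_RRCint": one(RRC_INT, int_alg_id),
        "K_UPenc": one(UP_ENC, enc_alg_id),
    }


def simulate_attach(rn_cert_ok=True, denb_cert_ok=True):
    """Run both sides of the exchange locally and return (RN's AK, DeNB's AK)."""
    rn_priv, rn_pub = dh_keypair()               # sent in message 1 with nonce 1
    denb_priv, denb_pub = dh_keypair()           # sent in message 2 with nonce 2
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    ak_denb = derive_ak(denb_priv, rn_pub, nonce1, nonce2, rn_cert_ok)
    ak_rn = derive_ak(rn_priv, denb_pub, nonce1, nonce2, denb_cert_ok)
    return ak_rn, ak_denb


if __name__ == "__main__":
    ak_rn, ak_denb = simulate_attach()
    print("AK match:", ak_rn == ak_denb)
    for name, key in derive_as_keys(ak_rn).items():   # AK is used directly as KeNB
        print(name, key.hex())
```

A failed certificate check raises before any modular exponentiation with the peer's value, which mirrors the "if authentication succeeds, then calculate" ordering of step 1403.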
Figure 16 is a signaling flowchart of the tenth embodiment of the radio node network access method of the present invention. As shown in Figure 16, the method comprises the following steps:
Step 1601: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
Step 1602: The DeNB to which the RN belongs replies to the RN with an RRC connection setup message, completing the random access channel connection establishment process.
Step 1603: The RN sends an RRC connection setup complete message, which carries the NAS Attach Request message, to the DeNB to which it belongs.
Step 1604: The DeNB to which the RN belongs encapsulates the NAS Attach Request message in an S1-AP message and passes it to the MME.
Step 1605: The MME sends information such as the serving gateway (Serving Gateway, S-GW for short) address, S1-TEID, bearer quality of service (Bearer QoS) and security context to the DeNB to which the RN belongs through an S1-AP message, activating the radio bearers and S1 bearers for all activated evolved packet system (Evolved Packet System, EPS for short) bearers.
Step 1606: The DeNB to which the RN belongs sends its own certificate to the RN in an RRC radio bearer setup message, and the RN authenticates this DeNB. The RRC radio bearer setup message may also carry random number (nonce) 1, the DH parameter of the DeNB and the AUTH parameter.
The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC radio bearer setup message in step 1606 carries a certificate identifier rather than the certificate itself, the method further comprises step 1606': the DeNB needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1607: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN. The RRC radio bearer setup complete message contains the certificate of the RN, random number (nonce) 2, the DH parameter of the RN and the AUTH parameter, so that the DeNB authenticates the RN according to the certificate of the RN and the establishment of the radio bearer is completed.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC radio bearer setup complete message in step 1607 carries a certificate identifier rather than the certificate itself, the method further comprises step 1607': the RN needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1608: The RN and the DeNB each locally calculate the authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of step 1606 and step 1607, use this authentication key AK as the temporary key KeNB, and calculate the AS signaling encryption key, the integrity protection key and so on.
Step 1609: The AS SMC process is performed between the RN and the DeNB to which it belongs, completing negotiation of the AS algorithms between the DeNB and the RN and activating AS protection.
The radio node network access method in this embodiment completes certificate-based authentication during radio bearer establishment, which requires the air interface protocol to be modified. In addition, the certificate authentication process may also be as follows: the certificate of the DeNB is not sent in step 1606, but is carried in a downlink message from the DeNB to the RN among the messages exchanged in step 1609, thereby implementing authentication of the DeNB.
In this embodiment, if authentication between the RN and the DeNB fails, the DeNB is triggered to initiate the RRC connection release process, or the DeNB is triggered to instruct the MME to initiate the RN detach process, thereby disconnecting the radio bearer connection between the RN and the DeNB.
The radio node network access method provided by this embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB. Like the eighth embodiment of the radio node network access method above, it implements certificate-based authentication when the RN accesses the network and makes RN network access more secure on the network side.
Figure 17 is a signaling flowchart of the eleventh embodiment of the radio node network access method of the present invention. As shown in Figure 17, the method comprises the following steps:
Step 1701: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
Step 1702: The DeNB to which the RN belongs replies to the RN with an RRC connection setup message, completing the random access channel connection establishment process.
Step 1703: The RN sends an RRC connection setup complete message to the DeNB to which it belongs. The RRC connection setup complete message carries the certificate of the RN, which the DeNB to which the RN belongs uses to authenticate the RN. The RRC connection setup complete message also carries random number (nonce) 1, the DH parameter of the RN and the AUTH parameter, as well as the NAS Attach Request message.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC connection setup complete message in step 1703 carries a certificate identifier rather than the certificate itself, the method further comprises step 1703': the RN needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1704: The DeNB to which the RN belongs encapsulates the NAS Attach Request message in an S1-AP message and passes it to the MME.
Step 1705: The MME sends information such as the serving gateway (Serving Gateway, S-GW for short) address, S1-TEID, bearer quality of service (Bearer QoS) and security context to the DeNB to which the RN belongs through an S1-AP message, activating the radio bearers and S1 bearers for all activated evolved packet system (Evolved Packet System, EPS for short) bearers.
Step 1706: The DeNB to which the RN belongs sends its own certificate to the RN in an RRC radio bearer setup message, and the RN authenticates this DeNB. The RRC radio bearer setup message may also carry random number (nonce) 2, the DH parameter of the DeNB and the AUTH parameter.
The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. If the RRC radio bearer setup message in step 1706 carries a certificate identifier rather than the certificate itself, the method further comprises step 1706': the DeNB needs to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Authentication of the peer based on the content of the certificate is then performed.
Step 1707: The RN and the DeNB each locally calculate the authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of step 1703 and step 1706, use this authentication key AK as the temporary key KeNB, and calculate the AS signaling encryption key, the integrity protection key and so on.
Through the exchange of the two messages in step 1703 and step 1706, certificate-based authentication is completed when the RN accesses the network.
Step 1708: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN, completing the establishment of the radio bearer between the RN and the DeNB.
Step 1709: The AS SMC process is performed between the RN and the DeNB to which it belongs, completing negotiation of the AS algorithms between the DeNB and the RN and activating AS protection.
The radio node network access method provided by this embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB. Like the eighth embodiment of the radio node network access method above, it implements certificate-based authentication when the RN accesses the network and makes RN network access more secure on the network side.
Figure 18 is a schematic structural diagram of the fourth embodiment of the relay node of the present invention. As shown in Figure 18, the relay node comprises a sending module 181, a receiving and authenticating module 182, a calculating module 183 and a bearer establishing module 184. The sending module 181 is configured to send the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station during radio resource control connection establishment and/or radio bearer establishment between the relay node and the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node. The receiving and authenticating module 182 is configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station. The calculating module 183 is configured to calculate the authentication key AK, if authentication between the relay node and the donor base station succeeds, according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving module 182. The bearer establishing module 184 is configured to use the authentication key AK calculated by the calculating module 183 as the temporary key KeNB shared by the relay node and the donor base station and, based on the temporary key KeNB, to perform access stratum security mode control with the donor base station. In addition, the mobility management entity may also exchange information with the relay node through the donor base station.
The relay node provided by this embodiment implements the radio node network access method; see the method embodiments above for details. During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, certificates are carried in the messages exchanged between the RN and the DeNB to perform authentication between the RN and the DeNB, and the DH parameters exchanged between the RN and the DeNB are used to calculate a temporary key KeNB similar to the one calculated when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 19 is a schematic structural diagram of the fourth embodiment of the radio node network access system of the present invention. As shown in Figure 19, the system comprises a mobility management entity 191, a donor base station 192 and a relay node 193. The relay node 193 is as described in the fourth relay node embodiment above and is not described again here. The mobility management entity 191 exchanges information with the relay node 193 through the donor base station 192. The donor base station 192 is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 193, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node 193; to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station and, according to the temporary key KeNB, to perform access stratum security mode control with the relay node 193.
The radio node network access system provided by this embodiment implements the radio node network access method; see the method embodiments above for details. During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, certificates are carried in the messages exchanged between the RN and the DeNB to perform authentication between the RN and the DeNB, and the DH parameters exchanged between the RN and the DeNB are used to calculate a temporary key KeNB similar to the one calculated when a UE accesses the network. The radio bearer between the RN and the DeNB is finally established, thereby implementing certificate-based authentication when the RN accesses the network and making RN network access more secure on the network side.
Figure 20 is a schematic flowchart of the twelfth embodiment of the radio node network access method of the present invention. The authentication process of this embodiment is based on the RN having a USIM card, with the RN similar to an attached UE. The RN first completes the radio bearer establishment process according to its USIM card and establishes the user-plane/signaling-plane IP connection, then starts the certificate-based authentication process of Internet Key Exchange version 2 (IKEv2 for short) at the IP layer and establishes the IPSec connection between the RN and the DeNB to which it is attached, completing the RN network access process. As shown in Figure 20, after the RN network access process is completed, the method further comprises the following steps:
Step 2001, RN send IKE security association initial negotiation (IKE_SA_INIT) request message to DeNB, have comprised parameter { HDR, SAi1, Kei, Ni} in this IKE_SA_INIT request message.
Wherein comprise Security Parameter Index (Security Parameter Indexes is called for short SPIs), version number and required sign among the message header HDR, SAi1 comprises that the initiator sets up the cryptographic algorithm that the IKE security association is supported, Kei is initiator's a DH parameter, and Ni is initiator's a random number load.
Step 2002, DeNB reply the IKE_SA_INIT response message to RN, have comprised parameter { HDR, SAr1, KEr, Nr, [CERTREQ] } in this IKE_SA_INIT response message.
Wherein, DeNB is placed on the algorithm of selecting among the SAr1; By mutual IKE_SA_INIT requests/response messages, initiator and response side have consulted needed cryptographic algorithm, identifying algorithm; By exchange Ni/Nr and Kei/Ker, finish the DH exchange, thereby both sides can calculate cipher key shared, this key is used for protecting the data of back and generates the needed key of IPsec security association; [CERTREQ] is the certificate request sign.
Step 2003: The RN sends an IKE_AUTH request message to the DeNB it belongs to. The IKE_AUTH request message contains the parameters {HDR, SK, AUTH, SAi2, TSi, TSr, CFG_REQUEST}.
The parameters carried have the following meanings: HDR contains the SPIs, the version number, and the required flags, and SAi contains the cryptographic algorithms the initiator supports for establishing the IKE security association; SK indicates that the message is protected; AUTH proves knowledge of the secret associated with the ID and also integrity-protects the preceding and current packets; SAi2 carries the list of cryptographic algorithms for the IPsec security association; TSi/TSr indicate the data flows protected by the IPsec security association; and CFG_REQUEST is used to request the certificate of the DeNB the RN is attached to, for authentication.
Step 2004: The DeNB the RN belongs to sends an IKE_AUTH response message to the RN. The IKE_AUTH response message contains the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload, CFG_REQUEST}.
The certificate of the DeNB is sent to the RN so that the RN can authenticate the DeNB it belongs to, and the RN's certificate is requested for authentication.
Step 2005: The RN sends an IKE_AUTH response message to the DeNB it belongs to. The IKE_AUTH response message contains the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload} and carries the RN's certificate to the DeNB, so that the DeNB can authenticate the RN.
Likewise, because of message length limits, in step 2004 and step 2005 the certificate of the RN and the certificate of the DeNB may be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. The entity that receives the message must then first interact with the RA/CA to obtain the content of the certificate indicated by the identifier, and then authenticate the peer based on the content of that certificate.
It should be noted that, to overcome the low security of a removable USIM card, after the RN has completed network-entry authentication using the USIM card and the IPsec connection between the RN and the DeNB it is attached to has been established, the certificate authentication process described in the steps above must also be performed. On the network-side node that performs the certificate authentication (DeNB/MME), if authentication of the RN's certificate fails, release of the Un-interface radio connection/IPsec connection between the RN and the DeNB/MME must be triggered, or the MME initiates the RN Detach (deregistration) procedure. Only when authentication of the RN's certificate succeeds can the RN act as a network node and activate the bearer function of the Un interface; otherwise no UE can access the network through the RN.
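The certificate step and its failure handling described above, as an added example that is not part of the patent text: a standard-library Python model of steps 2001 to 2005 in which the Un bearer is activated only if each certificate (or the certificate its identifier resolves to at the RA/CA) verifies and the AUTH signature matches the IKE_SA_INIT exchange the DeNB actually received. Assumptions: textbook RSA over Mersenne primes, the toy DH group, the simplified AUTH input, the certificate layout, and all names (`rn_cert_auth`, `DeNB-1`, `RN-1`, `cert-id-rn-1`, the state strings) are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: Mersenne primes keep the model stdlib-only.
# They are far too structured for real RSA keys or DH groups.
M521, M607, M1279 = 2**521 - 1, 2**607 - 1, 2**1279 - 1
E = 65537
DH_P, DH_G = M1279, 5


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Key:
    """Textbook RSA signing key without padding (illustration only)."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(digest(data), self._d, self.n)


def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == digest(data)


def issue(ca: Key, subject: str, key: Key) -> dict:
    """Hypothetical minimal certificate: subject and public modulus, CA-signed."""
    return {"subject": subject, "n": key.n,
            "sig": ca.sign(f"{subject}|{key.n}".encode())}


def resolve(payload, subject, ca_n, directory):
    """Accept a certificate, or a short identifier looked up at the RA/CA."""
    cert = directory.get(payload) if isinstance(payload, str) else payload
    if cert is None or cert["subject"] != subject:
        return None
    body = f"{cert['subject']}|{cert['n']}".encode()
    return cert if verify(ca_n, body, cert["sig"]) else None


def first_msg(ke: int, nonce: bytes) -> bytes:
    return ke.to_bytes(160, "big") + nonce


def rn_cert_auth(ca_n, directory, denb, rn, kei_altered=False):
    """Run steps 2001-2005; denb and rn are (Key, CERT payload) pairs."""
    (denb_key, denb_cert), (rn_key, rn_cert) = denb, rn
    # Steps 2001/2002: IKE_SA_INIT carries KEi/Ni and KEr/Nr.
    x, y = (secrets.randbelow(DH_P - 2) + 1 for _ in range(2))
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    kei_sent, ker = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    # What the DeNB received; differs from kei_sent if changed in transit.
    kei_seen = (kei_sent * DH_G) % DH_P if kei_altered else kei_sent

    # Step 2004: DeNB sends AUTH and CERT; the RN authenticates the DeNB.
    denb_auth = denb_key.sign(first_msg(ker, nr) + ni)
    cert = resolve(denb_cert, "DeNB-1", ca_n, directory)
    if cert is None or not verify(cert["n"], first_msg(ker, nr) + ni, denb_auth):
        return "UN_RELEASED"

    # Step 2005: RN sends AUTH and CERT; the DeNB checks the signature
    # against the IKE_SA_INIT request it actually received.
    rn_auth = rn_key.sign(first_msg(kei_sent, ni) + nr)
    cert = resolve(rn_cert, "RN-1", ca_n, directory)
    if cert is None or not verify(cert["n"], first_msg(kei_seen, ni) + nr, rn_auth):
        return "UN_RELEASED"  # release Un radio/IPsec connection or detach RN

    # Both sides must hold the same DH secret before the bearer is used.
    if pow(ker, x, DH_P) != pow(kei_seen, y, DH_P):
        return "UN_RELEASED"
    return "UN_BEARER_ACTIVE"


# Constructed sample deployment.
CA = Key(M521, M607)
DENB_KEY, RN_KEY = Key(M521, M1279), Key(M607, M1279)
DENB_CERT, RN_CERT = issue(CA, "DeNB-1", DENB_KEY), issue(CA, "RN-1", RN_KEY)
DIRECTORY = {"cert-id-rn-1": RN_CERT}        # RA/CA lookup table
SELF_SIGNED = issue(RN_KEY, "RN-1", RN_KEY)  # not issued by the CA


def outcomes() -> dict:
    def run(rn, **kw):
        return rn_cert_auth(CA.n, DIRECTORY, (DENB_KEY, DENB_CERT), rn, **kw)
    return {
        "full_cert": run((RN_KEY, RN_CERT)),
        "cert_identifier": run((RN_KEY, "cert-id-rn-1")),
        "unknown_identifier": run((RN_KEY, "cert-id-unknown")),
        "self_signed": run((RN_KEY, SELF_SIGNED)),
        "kei_altered": run((RN_KEY, RN_CERT), kei_altered=True),
    }


if __name__ == "__main__":
    print(outcomes())
```

Real IKEv2 AUTH input also covers a keyed hash of the sender's identity, and real deployments use X.509 certificates with padded signatures; the model keeps only the parts the steps above rely on.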
Figure 21 is a schematic structural diagram of the fifth embodiment of the relay node of the present invention. As shown in Figure 21, the relay node comprises a parameter exchange module 2101, a first sending module 2102, a receiving and authentication module 2103, and a second sending module 2104. The parameter exchange module 2101 is configured to, after radio resource control connection establishment and radio bearer establishment between the relay node and the donor base station are completed, send an Internet Key Exchange security association initial negotiation request message to the donor base station and receive the Internet Key Exchange security association initial negotiation response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate the security association between the relay node and the donor base station. The first sending module 2102 is configured to send an Internet Key Exchange authentication request message to the donor base station, the request message carrying information requesting the certificate of the donor base station. The receiving and authentication module 2103 is configured to receive the Internet Key Exchange authentication response message returned by the donor base station, which carries the certificate of the donor base station, and to authenticate the donor base station according to that certificate; the response message also carries information requesting the certificate of the relay node. The second sending module 2104 is configured to send to the donor base station an Internet Key Exchange authentication response message carrying the certificate of the relay node, so that the donor base station authenticates the relay node according to the certificate of the relay node.
The relay node provided in this embodiment implements the radio node network entry method as detailed in the twelfth method embodiment above. It enables certificate-based authentication when the RN enters the network, making RN network entry more secure for the network side.
Figure 22 is a schematic structural diagram of the fifth embodiment of the radio node network entry system of the present invention. As shown in Figure 22, the radio node network entry system comprises a donor base station 2201 and a relay node 2202 as described in the fifth relay node embodiment above. The donor base station 2201 is configured to: receive the Internet Key Exchange security association initial negotiation request message sent by the relay node 2202 and return the Internet Key Exchange security association initial negotiation response message to the relay node 2202, so as to exchange the Diffie-Hellman parameter of the relay node 2202 and the Diffie-Hellman parameter of the donor base station 2201, the Diffie-Hellman parameters being used to negotiate the security association between the relay node 2202 and the donor base station 2201; receive the Internet Key Exchange authentication request message sent by the relay node 2202, which carries information requesting the certificate of the donor base station 2201; return to the relay node 2202 the Internet Key Exchange authentication response message carrying the certificate of the donor base station 2201, which also carries information requesting the certificate of the relay node 2202; and receive the Internet Key Exchange authentication response message sent by the relay node 2202, which carries the certificate of the relay node 2202, and authenticate the relay node 2202 according to the certificate of the relay node 2202.
The radio node network entry system provided in this embodiment implements the radio node network entry method as detailed in the twelfth method embodiment above. It enables certificate-based authentication when the RN enters the network, making RN network entry more secure for the network side.
A person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (26)

1. A radio node network entry method, characterized by comprising:
during establishment of a radio resource control connection between a relay node and a donor base station integrated with a home subscriber server, sending a certificate of the relay node and a Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
receiving a certificate of the donor base station and a Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
if the relay node and the donor base station are authenticated successfully, calculating a foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
performing authentication and key agreement with a mobility management entity based on the foundation key K; and performing non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
2. The method according to claim 1, characterized in that:
if the certificate of the donor base station sent by the donor base station is represented by identification information of the certificate, then before the authenticating of the donor base station according to the certificate of the donor base station, the method further comprises: obtaining the content of the certificate from a certificate center according to the identification information of the certificate;
the authenticating of the donor base station according to the certificate of the donor base station comprises: authenticating the donor base station according to the content of the certificate obtained from the certificate center.
3. A relay node, characterized by comprising:
a sending module, configured to, during establishment of a radio resource control connection between the relay node and a donor base station integrated with a home subscriber server, send a certificate of the relay node and a Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive a certificate of the donor base station and a Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
a computing module, configured to, if the relay node and the donor base station are authenticated successfully, calculate a foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving module;
a bearer establishment module, configured to perform authentication and key agreement with a mobility management entity based on the foundation key K calculated by the computing module, and to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establish a radio bearer with the donor base station.
4. A radio node network entry system, characterized by comprising: a mobility management entity, a donor base station integrated with a home subscriber server, and the relay node as claimed in claim 4, wherein:
the donor base station integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to perform access stratum security mode control with the relay node according to an access stratum key calculated from the foundation key K;
the mobility management entity is configured to obtain an authentication vector calculated by the donor base station integrated with the home subscriber server based on the foundation key K, and to perform authentication and key agreement with the relay node according to the authentication vector; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the foundation key K.
5. A radio node network entry method, characterized by comprising:
during establishment of a radio resource control connection between a relay node and a donor base station, sending a certificate of the relay node and a Diffie-Hellman parameter of the relay node to a home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
receiving, through the donor base station, a certificate of the home subscriber server and a Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and authenticating the home subscriber server according to the certificate of the home subscriber server;
if the relay node and the home subscriber server are authenticated successfully, calculating a foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
performing authentication and key agreement with a mobility management entity based on the foundation key K; and performing non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
6. The method according to claim 5, characterized in that:
if the certificate of the home subscriber server sent by the home subscriber server is represented by identification information of the certificate, then before the authenticating of the home subscriber server according to the certificate of the home subscriber server, the method further comprises: obtaining the content of the certificate from a certificate center according to the identification information of the certificate;
the authenticating of the home subscriber server according to the certificate of the home subscriber server comprises: authenticating the home subscriber server according to the content of the certificate obtained from the certificate center.
7. A relay node, characterized by comprising:
a sending module, configured to, during establishment of a radio resource control connection between the relay node and a donor base station, send a certificate of the relay node and a Diffie-Hellman parameter of the relay node to a home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive, through the donor base station, a certificate of the home subscriber server and a Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and to authenticate the home subscriber server according to the certificate of the home subscriber server;
a computing module, configured to, if the relay node and the home subscriber server are authenticated successfully, calculate a foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving module;
a bearer establishment module, configured to perform authentication and key agreement with a mobility management entity based on the foundation key K calculated by the computing module, and to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establish a radio bearer with the donor base station.
8. A radio node network entry system, characterized by comprising: a mobility management entity, a home subscriber server, a donor base station, and the relay node as claimed in claim 7, wherein:
the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node; and to calculate the foundation key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
the mobility management entity is configured to obtain an authentication vector calculated by the home subscriber server based on the foundation key K, and to perform authentication and key agreement with the relay node according to the authentication vector; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the foundation key K;
the donor base station is configured to obtain an access stratum key calculated by the home subscriber server based on the foundation key K, and to perform access stratum security mode control with the relay node according to the access stratum key.
9. A radio node network entry method, characterized by comprising:
completing establishment of a radio resource control connection between a relay node and a donor base station;
sending an Attach Request message carrying a certificate of the relay node and a Diffie-Hellman parameter of the relay node to a mobility management entity integrated with a home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node;
receiving a non-access stratum message sent by the mobility management entity that carries a certificate of the mobility management entity and a Diffie-Hellman parameter of the mobility management entity, and authenticating the mobility management entity according to the certificate of the mobility management entity;
if the relay node and the mobility management entity are authenticated successfully, calculating a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity;
based on the shared key, performing non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
10. The method according to claim 9, characterized in that the shared key is a foundation key K or a root key KASME;
when the shared key is the foundation key K, before the performing of non-access stratum security mode control with the mobility management entity, the method further comprises: performing authentication and key agreement with the mobility management entity based on the foundation key K.
11. The method according to claim 9, characterized in that:
if the certificate of the mobility management entity sent by the mobility management entity is represented by identification information of the certificate, then before the authenticating of the mobility management entity according to the certificate of the mobility management entity, the method further comprises: obtaining the content of the certificate from a certificate center according to the identification information of the certificate;
the authenticating of the mobility management entity according to the certificate of the mobility management entity comprises: authenticating the mobility management entity according to the content of the certificate obtained from the certificate center.
12. A relay node, characterized by comprising:
a connection establishment module, configured to complete establishment of a radio resource control connection between the relay node and a donor base station;
a sending module, configured to send an Attach Request message carrying a certificate of the relay node and a Diffie-Hellman parameter of the relay node to a mobility management entity integrated with a home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive a non-access stratum message sent by the mobility management entity that carries a certificate of the mobility management entity and a Diffie-Hellman parameter of the mobility management entity, and to authenticate the mobility management entity according to the certificate of the mobility management entity;
a computing module, configured to, if the relay node and the mobility management entity are authenticated successfully, calculate a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity received by the receiving module;
a bearer establishment module, configured to, based on the shared key calculated by the computing module, perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establish a radio bearer with the donor base station.
13. A radio node network entry system, characterized by comprising: a mobility management entity integrated with a home subscriber server, a donor base station, and the relay node as claimed in claim 12, wherein:
the mobility management entity integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node; to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity; and to perform non-access stratum security mode control with the relay node according to a non-access stratum key calculated from the shared key;
the donor base station is configured to obtain an access stratum key calculated by the mobility management entity integrated with the home subscriber server based on the shared key, and to perform access stratum security mode control with the relay node according to the access stratum key.
14. A radio node network entry method, characterized by comprising:
during radio resource control connection establishment and/or radio bearer establishment between a relay node and a donor base station, sending a certificate of the relay node and a Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
receiving a certificate of the donor base station and a Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
if the relay node and the donor base station are authenticated successfully, calculating an authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
using the authentication key AK as a temporary key KeNB shared by the relay node and the donor base station, and performing access stratum security mode control with the donor base station based on the temporary key KeNB.
15. The method according to claim 14, characterized in that:
the sending of the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station comprises: sending a radio resource control connection establishment request message to the donor base station, the radio resource control connection establishment request message comprising the certificate of the relay node and the Diffie-Hellman parameter of the relay node;
the receiving of the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station comprises: receiving a radio resource control connection establishment message returned by the donor base station, the radio resource control connection establishment message comprising the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station.
16. The method according to claim 14, characterized in that:
the receiving of the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station comprises: receiving a radio bearer establishment message sent by the donor base station, the radio bearer establishment message comprising the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station;
the sending of the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station comprises: returning a radio bearer establishment complete message to the donor base station, the radio bearer establishment complete message comprising the certificate of the relay node and the Diffie-Hellman parameter of the relay node.
17. The method according to claim 16, characterized by further comprising:
if authentication between the relay node and the donor base station fails, triggering the donor base station to initiate a radio resource control connection release procedure, or triggering the donor base station to instruct the mobility management entity to initiate a procedure for detaching the relay node.
18. The method according to claim 14, characterized in that:
the sending of the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station comprises: sending a radio resource control connection establishment complete message to the donor base station, the radio resource control connection establishment complete message comprising the certificate of the relay node and the Diffie-Hellman parameter of the relay node;
the receiving of the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station comprises: receiving a radio bearer establishment message sent by the donor base station, the radio bearer establishment message comprising the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station.
19. The method according to any one of claims 14-18, characterized in that:
if the certificate of the donor base station sent by the donor base station is represented by identification information of the certificate, then before the authenticating of the donor base station according to the certificate of the donor base station, the method further comprises: obtaining the content of the certificate from a certificate center according to the identification information of the certificate;
the authenticating of the donor base station according to the certificate of the donor base station comprises: authenticating the donor base station according to the content of the certificate obtained from the certificate center.
20. A relay node, characterized by comprising:
a sending module, configured to, during radio resource control connection establishment and/or radio bearer establishment between the relay node and a donor base station, send a certificate of the relay node and a Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive a certificate of the donor base station and a Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
a computing module, configured to, if the relay node and the donor base station are authenticated successfully, calculate an authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving module;
a bearer establishment module, configured to use the authentication key AK calculated by the computing module as a temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the donor base station based on the temporary key KeNB.
21. A radio node network entry system, characterized by comprising: a donor base station and the relay node as claimed in claim 20, wherein:
the donor base station is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, and perform access stratum security mode control with the relay node according to the temporary key KeNB.
22. A radio node network-accessing method, characterized by comprising:
After radio resource control (RRC) connection establishment and radio bearer establishment between a relay node and a donor base station are completed, sending an Internet Key Exchange security association initial negotiation request message to the donor base station, and receiving the Internet Key Exchange security association initial negotiation response message with which the donor base station replies, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station;
Sending an Internet Key Exchange authentication request message to the donor base station, the Internet Key Exchange authentication request message carrying information requesting the certificate of the donor base station;
Receiving an Internet Key Exchange authentication response message, returned by the donor base station, that carries the certificate of the donor base station, and authenticating the donor base station according to the certificate of the donor base station, the Internet Key Exchange authentication response message also carrying information requesting the certificate of the relay node;
Sending to the donor base station an Internet Key Exchange authentication response message carrying the certificate of the relay node, so that the donor base station authenticates the relay node according to the certificate of the relay node.
23. The method according to claim 22, characterized by further comprising:
If authentication of the relay node and the donor base station fails, triggering the donor base station to initiate an RRC connection release procedure, or triggering the donor base station to instruct the mobility management entity to initiate a detach procedure for the relay node.
24. A relay node, characterized by comprising:
A parameter exchange module, configured to, after radio resource control (RRC) connection establishment and radio bearer establishment between the relay node and a donor base station are completed, send an Internet Key Exchange security association initial negotiation request message to the donor base station, and receive the Internet Key Exchange security association initial negotiation response message with which the donor base station replies, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station;
A first sending module, configured to send an Internet Key Exchange authentication request message to the donor base station, the Internet Key Exchange authentication request message carrying information requesting the certificate of the donor base station;
A receiving and authentication module, configured to receive an Internet Key Exchange authentication response message, returned by the donor base station, that carries the certificate of the donor base station, and to authenticate the donor base station according to the certificate of the donor base station, the Internet Key Exchange authentication response message also carrying information requesting the certificate of the relay node;
A second sending module, configured to send to the donor base station an Internet Key Exchange authentication response message carrying the certificate of the relay node, so that the donor base station authenticates the relay node according to the certificate of the relay node.
25. The relay node according to claim 24, characterized by further comprising: a detection and trigger module, configured to, if it detects that authentication of the relay node and the donor base station has failed, trigger the donor base station to initiate an RRC connection release procedure, or trigger the donor base station to instruct the mobility management entity to initiate a detach procedure for the relay node.
26. A radio node network-accessing system, characterized by comprising: a donor base station and the relay node according to claim 24 or 25,
The donor base station is configured to: receive the Internet Key Exchange security association initial negotiation request message sent by the relay node, and return the Internet Key Exchange security association initial negotiation response message to the relay node, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station; receive the Internet Key Exchange authentication request message sent by the relay node, the Internet Key Exchange authentication request message carrying information requesting the certificate of the donor base station; return to the relay node the Internet Key Exchange authentication response message carrying the certificate of the donor base station, the Internet Key Exchange authentication response message also carrying information requesting the certificate of the relay node; and receive the Internet Key Exchange authentication response message, sent by the relay node, that carries the certificate of the relay node, and authenticate the relay node according to the certificate of the relay node.
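The certificate and Diffie-Hellman exchange of claims 20 and 21, simulated at both ends as an added example that is not part of the patent text. The toy group, the fingerprint pinning that stands in for certificate validation, the HMAC-SHA-256 key derivation and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (assumption, not from the patent): the Mersenne prime
# 2**521 - 1 with generator 3. A deployment would use a standardized group.
P = 2**521 - 1
G = 3


class AuthenticationFailed(Exception):
    """Peer certificate rejected; no AK is computed."""


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


def dh_keypair():
    """Return (private exponent, public Diffie-Hellman parameter)."""
    priv = secrets.randbelow(P - 3) + 2  # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def derive_kenb(own_priv, peer_cert, peer_pub, trusted):
    """Authenticate the peer, then compute AK and return it for use as KeNB."""
    # Stand-in for X.509 path validation: the certificate must be pinned.
    if fingerprint(peer_cert) not in trusted:
        raise AuthenticationFailed("peer certificate is not trusted")
    # Reject 0, 1 and P - 1, which force a predictable shared secret.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("degenerate Diffie-Hellman parameter")
    shared = pow(peer_pub, own_priv, P)
    # Assumed KDF: HMAC-SHA-256 compresses the secret to a 256-bit key.
    return hmac.new(b"AK", shared.to_bytes(66, "big"), hashlib.sha256).digest()


def run_exchange(rn_cert, denb_cert, rn_trusted, denb_trusted):
    """Simulate both ends; returns (KeNB at relay node, KeNB at donor base station)."""
    rn_priv, rn_pub = dh_keypair()
    denb_priv, denb_pub = dh_keypair()
    # Donor base station: receives the relay node's certificate and parameter.
    kenb_denb = derive_kenb(denb_priv, rn_cert, rn_pub, denb_trusted)
    # Relay node: receives the donor base station's certificate and parameter.
    kenb_rn = derive_kenb(rn_priv, denb_cert, denb_pub, rn_trusted)
    return kenb_rn, kenb_denb


# Constructed sample "certificates" (opaque bytes, not real X.509).
RN_CERT = b"constructed relay node certificate"
DENB_CERT = b"constructed donor base station certificate"
```

Both ends obtain the same 256-bit value only when each accepts the other's certificate; a rejected certificate or an out-of-range parameter stops the run before any key material exists.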
CN201010111422.8A 2010-02-12 2010-02-12 Radio node network-accessing method and system as well as relay node Active CN102158860B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010111422.8A CN102158860B (en) 2010-02-12 2010-02-12 Radio node network-accessing method and system as well as relay node
PCT/CN2011/070948 WO2011098048A1 (en) 2010-02-12 2011-02-12 Radio node accessing network method, system and relay node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010111422.8A CN102158860B (en) 2010-02-12 2010-02-12 Radio node network-accessing method and system as well as relay node

Publications (2)

Publication Number Publication Date
CN102158860A (en) 2011-08-17
CN102158860B (en) 2014-05-21

Family

ID=44367290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010111422.8A Active CN102158860B (en) 2010-02-12 2010-02-12 Radio node network-accessing method and system as well as relay node

Country Status (2)

Country Link
CN (1) CN102158860B (en)
WO (1) WO2011098048A1 (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101292558A (en) * 2005-10-18 2008-10-22 Lg电子株式会社 Method of providing security for relay station
CN101388707A (en) * 2007-09-13 2009-03-18 中兴通讯股份有限公司 Method for implementing network access and initialization by relay station
CN101640887A (en) * 2008-07-29 2010-02-03 上海华为技术有限公司 Authentication method, communication device and communication system
CN101640886A (en) * 2008-07-29 2010-02-03 上海华为技术有限公司 Authentication method, re-authentication method and communication device
WO2010012203A1 (en) * 2008-07-29 2010-02-04 华为技术有限公司 Authentication method, re-certification method and communication device

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013087010A1 (en) * 2011-12-15 2013-06-20 华为技术有限公司 Method and device thereof for generating access stratum key in communication system
US11483705B2 (en) 2011-12-15 2022-10-25 Huawei Technologies Co., Ltd. Method and device for generating access stratum key in communications system
US9736125B2 (en) 2011-12-15 2017-08-15 Huawei Technologies Co., Ltd. Method and device for generating access stratum key in communications system
US10880738B2 (en) 2011-12-15 2020-12-29 Huawei Technologies Co., Ltd. Method and device for generating access stratum key in communications system
US10009326B2 (en) 2011-12-15 2018-06-26 Huawei Technologies Co., Ltd. Method and device for generating access stratum key in communications system
US10348703B2 (en) 2011-12-15 2019-07-09 Huawei Technologies Co., Ltd. Method and device for generating access stratum key in communications system
CN109327919A (en) * 2012-02-03 2019-02-12 日本电气株式会社 UE, base station, the method for UE, the method for base station
CN106792788B (en) * 2015-11-24 2019-08-23 大唐移动通信设备有限公司 A kind of terminal attachment method and base station
CN106792788A (en) * 2015-11-24 2017-05-31 大唐移动通信设备有限公司 A kind of terminal attachment method and base station
CN109076086A (en) * 2016-05-05 2018-12-21 高通股份有限公司 Execute the security signaling before Authentication and Key Agreement
CN109076086B (en) * 2016-05-05 2021-04-27 高通股份有限公司 Secure signaling before performing authentication and key agreement
CN107809411A (en) * 2016-09-09 2018-03-16 华为技术有限公司 Authentication method, terminal device, server and the network authentication entity of mobile network
WO2019157940A1 (en) * 2018-02-14 2019-08-22 维沃移动通信有限公司 Neighbour relationship establishment method, wireless relay and network-side node
CN110167098A (en) * 2018-02-14 2019-08-23 维沃移动通信有限公司 A kind of method for building up of neighborhood, wireless relay and network side node
US11576104B2 (en) 2018-02-14 2023-02-07 Vivo Mobile Communication Co., Ltd. Neighboring relationship establishment method, wireless relay and network side node
CN108712742A (en) * 2018-03-22 2018-10-26 创新维度科技(北京)有限公司 Internet of Things network security optimization method, user terminal and network side equipment
CN108712742B (en) * 2018-03-22 2019-08-27 创新维度科技(北京)有限公司 Internet of Things network security optimization method, user terminal and network side equipment
CN108768661A (en) * 2018-05-29 2018-11-06 如般量子科技有限公司 It is a kind of based on pool of symmetric keys and span centre after modified AKA identity authorization systems and method
CN108768661B (en) * 2018-05-29 2021-02-02 如般量子科技有限公司 Improved AKA identity authentication system and method based on symmetric key pool and cross-relay
CN112087754A (en) * 2019-06-14 2020-12-15 三星电子株式会社 Method for dynamically providing key for authentication in relay device
WO2022088621A1 (en) * 2020-10-26 2022-05-05 华为技术有限公司 Encrypted message detection method and protective device
CN114499913A (en) * 2020-10-26 2022-05-13 华为技术有限公司 Encrypted message detection method and protection equipment
CN114499913B (en) * 2020-10-26 2022-12-06 华为技术有限公司 Encrypted message detection method and protection equipment
CN112887947A (en) * 2021-01-14 2021-06-01 南通大学 Bluetooth Mesh clustering networking method for double-layer block chain
CN115348583A (en) * 2022-10-18 2022-11-15 中国民航信息网络股份有限公司 Communication method and system in high-speed mobile scene

Also Published As

Publication number Publication date
CN102158860B (en) 2014-05-21
WO2011098048A1 (en) 2011-08-18

Similar Documents

Publication Publication Date Title
CN102158860B (en) Radio node network-accessing method and system as well as relay node
KR102315881B1 (en) Mutual authentication between user equipment and an evolved packet core
US10931445B2 (en) Method and system for session key generation with diffie-hellman procedure
CN101931955B (en) Authentication method, device and system
US9270672B2 (en) Performing a group authentication and key agreement procedure
US9667413B2 (en) Encryption realization method and system
CN101500229B (en) Method for establishing security association and communication network system
US10687213B2 (en) Secure establishment method, system and device of wireless local area network
CN101442402B (en) Method, system and apparatus for authenticating access point equipment
WO2014041806A1 (en) Key management in machine type communication system
CN101945387B (en) The binding method of a kind of access layer secret key and equipment and system
WO2012031510A1 (en) Method and system for implementing synchronous binding of security key
CN101951590B (en) Authentication method, device and system
WO2012174959A1 (en) Group authentication method, system and gateway in machine-to-machine communication
KR102119586B1 (en) Systems and methods for relaying data over communication networks
CN103609154A (en) Method, apparatus and system for WLAN access authentication
CN101931953A (en) Method and system for generating safety key bound with device
KR101431214B1 (en) Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication
WO2017009714A1 (en) Establishing a temporary subscription with isolated e-utran network
Rani et al. Study on threats and improvements in LTE Authentication and Key Agreement Protocol
Shankar et al. Security enhancement with optimal QoS using ECDH for converged 3G-WLAN system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant